CVE-2025-1971: 
WordPress vulnerability analysis and mitigation

The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 2.6.2 via deserialization of untrusted input from the 'form_data' parameter. The vulnerability was discovered and disclosed on March 22, 2025 (NVD).

The vulnerability allows authenticated attackers with Administrator-level access to inject PHP Objects through the deserialization of untrusted input. The issue exists in the plugin's handling of the 'form_data' parameter. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

While no known POP (Property Oriented Programming) chain is present in the vulnerable software itself, if another plugin or theme containing a POP chain is installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present (NVD).

The vulnerability has been patched in version 2.6.3 of the plugin. Users are advised to update to this version immediately. The update includes fixes for PHP Object Injection along with other security improvements like protection against Server-Side Request Forgery and Directory Traversal (WordPress Plugin).